> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Friday, May 8, 2015 10:21 AM
> To: Andy Thompson
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] multi homed environment
>
> On Fri, 08 May 2015, Andy Thompson wrote:
> >
> >> -----Original Message-----
> >> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> >> Sent: Friday, May 8, 2015 9:40 AM
> >> To: Andy Thompson
> >> Cc: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] multi homed environment
> >>
> >> On Fri, 08 May 2015, Andy Thompson wrote:
> >> >> -----Original Message-----
> >> >> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> >> >> Sent: Friday, May 8, 2015 8:17 AM
> >> >> To: Andy Thompson
> >> >> Cc: freeipa-users@redhat.com
> >> >> Subject: Re: [Freeipa-users] multi homed environment
> >> >>
> >> >> On Fri, 08 May 2015, Andy Thompson wrote:
> >> >> >I'm trying to roll out IPA in an existing Windows environment where everything is multi-homed. I did not put my IPA server on all the subnets.
> >> >> >
> >> >> >I'm having an issue with adding a trust to the domain with the error below:
> >> >> >
> >> >> >ipa: ERROR: CIFS server communication error: code "-1073741801", message "Memory allocation error" (both may be "None")
> >> >> >
> >> >> >DNS, I think, since it round-robins all the existing A records and is returning IPs out of the local subnet. I don't know much about Windows DNS services, but it's got netmask optimization enabled, and doing digs against the service returns the local IP first every time, but pings return them in any order.
> >> >> >
> >> >> >I've considered adding the DCs to the local hosts file, but I'm not sure if that will solve the problem or not. Is that a viable fix?
> >> >> >
> >> >> >Anyone have any experience in an environment like this? Really not sure what additional problems I will run into with all this multi-homed nonsense.
> >> >> Stop here and make sure you obtained the debugging information as described in
> >> >>
> >> >> http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
> >> >>
> >> >> Without that information it is hard to tell what is happening.
> >> >>
> >> >> Also make sure to describe the exact environment (distribution, version, package versions, etc).
> >> >
> >> >Well, things got ugly. I enabled debug and it pointed me in the right direction: smb failed to start. It came down to the cifs service not being added when I did the adtrust-install. I tried adding it and it complained that it could not find the A record for the host even though it was there. Thinking something was possibly hung up in the resolver cache, I restarted the ipa service and it failed completely.
> >> >
> >> >ipactl start fails starting smb because of the missing service, and everything fails from there.
> >> >
> >> >Is there any way to recover from this mess I just made? :)
> >> I assume you have IPA 4.x, i.e. a systemd-based environment.
> >
> >Yes, sorry, forgot to include that.
> >
> >> 1. Manually start dirsrv@INSTANCE-NAME.service
> >>
> >> 2. Disable the ADTRUST and EXTID services with ipa-ldap-updater. Note that you SHOULD NOT replace the $FOO variables below; they should be as specified in the resulting file. For ipa-ldap-updater use see its manual page and my blog: https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/
> >>
> >> # cat <<'END' >88-disable-adtrust-extid.update
> >> dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> >> remove:ipaConfigString:enabledService
> >>
> >> dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> >> remove:ipaConfigString:enabledService
> >> END
> >>
> >> # ipa-ldap-updater -l ./88-disable-adtrust-extid.update
> >>
> >> 3. Restart IPA
> >>
> >> 4. Re-run ipa-adtrust-install and look at the output, including what it appends to /var/log/ipaserver-install.log.
> >
> >Beautiful, that much is running again; thanks for those pointers.
> >
> >And I'm ashamed to say I tracked down the issue to a fat finger in the resolv.conf file, so it really couldn't look up the needed record :/
> >
> >So back to the original issue, which in the end was most likely because smb wasn't started. I'm still not sure how this will all respond in a multi-homed environment like this if the IPA server cannot communicate with all of the interfaces on the DC. Will that cause an issue with the trust, or is there anything I need to take into consideration with this?
> There are a few things to consider:
>
> 1. The IPA master uses DNS SRV records to discover whom to talk to on the AD side. The name received from the SRV record is then used by the IPA master to connect to the AD DC.
>
> 2. AD DCs use DNS SRV records to discover which IPA master to respond to when verifying the trust. The name received from the SRV record is then used by the AD DC to connect to the IPA master.
>
> 3. While right now the trust is established using password-based authentication between IPA and AD DCs, actual resolution of identities when the trust is in use requires working Kerberos authentication. This might give you a headache in multi-homed environments if the IP returned when resolving the AD DC or IPA master is unreachable.
>
> In any case, it is mostly a question of correct routing tables and DNS name resolution.
>
IPA will only ever return a single address; it's the AD side I'm concerned about, because it's a mess. I can't route to the other interfaces of the DC because IPA and the DC both share a net right now. Will adding the DC IP addresses to the IPA hosts file work around the potential for the problem? I don't know that I can guarantee the Windows DNS doing anything I expect it to :)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
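The check a practitioner would want before answering the hosts-file question is the one the thread never quite runs: take the DCs that the AD DC-locator SRV record (`_ldap._tcp.dc._msdcs.<domain>`) returns, resolve every A record each DC publishes, and see which of those addresses the IPA master can actually reach. The script below is an added example, not code from this thread or from FreeIPA. The domain `ad.example.test`, the DC names, the addresses, the reachable CIDR and the `dig +short` output are all constructed; with no arguments it runs on that sample data, with `<ad-domain> <reachable-cidrs>` it shells out to `dig` and additionally probes TCP 88/389/445 on each candidate address, since a routable address can still be firewalled.

```python
"""Which AD DC addresses can this IPA master actually reach?

Added example for the thread above, not FreeIPA code. The domain ad.example.test,
hosts, addresses, CIDRs and dig output are all constructed. With no arguments it runs
on that sample data; with <ad-domain> <reachable-cidrs> it shells out to dig and probes TCP.
"""
import ipaddress
import socket
import subprocess
import sys

# Constructed `dig +short SRV _ldap._tcp.dc._msdcs.ad.example.test` output (priority weight port target).
# _ldap._tcp.dc._msdcs.<domain> is the standard AD DC locator record.
SAMPLE_SRV = "0 100 389 dc1.ad.example.test.\n0 100 389 dc2.ad.example.test.\n"
# Constructed `dig +short A <dc>` output per DC: one A record per DC interface, round-robined by the server.
SAMPLE_A = {
    "dc1.ad.example.test": "10.10.1.5\n192.168.50.5\n172.16.9.5\n",
    "dc2.ad.example.test": "192.168.50.6\n172.16.9.6\n",
}
# Constructed: networks the IPA master can reach. In the thread that is only the subnet shared with the DC;
# in a routed environment list every subnet the routing table can deliver to.
SAMPLE_REACHABLE = ["10.10.1.20/24"]
# Ports a trust needs on a DC: Kerberos, LDAP and SMB/CIFS (the service whose failure started the thread).
DC_PORTS = (88, 389, 445)


def parse_srv(short_output):
    """dig +short SRV lines -> [(priority, weight, port, host)], lowest priority and highest weight first."""
    targets = []
    for line in short_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            targets.append((int(parts[0]), -int(parts[1]), int(parts[2]), parts[3].rstrip(".")))
    return [(p, -w, port, host) for p, w, port, host in sorted(targets)]


def parse_a(short_output):
    """dig +short A lines -> [ip_address]; non-address lines such as a CNAME step are skipped."""
    ips = []
    for line in short_output.splitlines():
        try:
            ips.append(ipaddress.ip_address(line.strip()))
        except ValueError:
            pass
    return ips


def classify(dc_to_a, reachable_cidrs):
    """Per DC: (addresses inside a reachable network, addresses outside all of them)."""
    nets = [ipaddress.ip_interface(c).network for c in reachable_cidrs]
    result = {}
    for host, raw in dc_to_a.items():
        ips = parse_a(raw)
        ok = [str(ip) for ip in ips if any(ip in n for n in nets)]
        result[host] = (ok, [str(ip) for ip in ips if str(ip) not in ok])
    return result


def hosts_entries(classified):
    """/etc/hosts pin per DC (first reachable address) and the DCs with no reachable address at all."""
    pins = [f"{ok[0]} {host}" for host, (ok, _) in classified.items() if ok]
    return pins, [host for host, (ok, _) in classified.items() if not ok]


def tcp_probe(ip, port, timeout=2.0):
    """Live check: a routable address may still be firewalled, so confirm the TCP handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def dig_short(rrtype, name):
    """Live lookup via dig; '' when dig is absent or the query fails."""
    try:
        return subprocess.run(["dig", "+short", rrtype, name], capture_output=True,
                              text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def report(classified, probe=False):
    """Summary text; probe=True additionally checks DC_PORTS on each reachable address."""
    out = []
    for host, (ok, bad) in classified.items():
        out.append(f"{host}: reachable={ok or '-'} unreachable={bad or '-'}")
        for ip in (ok if probe else []):
            closed = [p for p in DC_PORTS if not tcp_probe(ip, p)]
            out.append(f"  {ip}: " + ("all ports open" if not closed else f"closed {closed}"))
    pins, unreachable = hosts_entries(classified)
    out.append("suggested /etc/hosts pins: " + ("; ".join(pins) or "none"))
    if unreachable:
        out.append("WARNING: no reachable address for " + ", ".join(unreachable))
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python3 dc_reach.py ad.example.test 10.10.1.20/24,10.10.2.0/24
        domain, cidrs = sys.argv[1], sys.argv[2].split(",")
        dcs = [host for _, _, _, host in parse_srv(dig_short("SRV", f"_ldap._tcp.dc._msdcs.{domain}"))]
        print(report(classify({h: dig_short("A", h) for h in dcs}, cidrs), probe=True))
    else:
        print(report(classify(SAMPLE_A, SAMPLE_REACHABLE)))
```

On the constructed data dc1 gets a pin on its 10.10.1.5 interface and dc2 is flagged as having no reachable address at all, which is the case an /etc/hosts entry cannot fix: a pin only changes what the libc resolver (nsswitch `hosts: files dns`) returns for a name, so it helps Kerberos, LDAP and SMB clients on the IPA master pick a usable address, but it does not touch SRV discovery, which still comes from DNS, it must be maintained by hand whenever a DC changes address, and it does nothing for the AD side's view of the IPA master (which, as noted above, publishes a single address anyway).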